TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Uninstalled Computer Security Patches Continue to Put Computer Systems at Risk

September 21, 2006

Reference Number: 2006-20-167

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Redaction Legend:
2(b) = Law Enforcement Guideline(s)
7 = Predecisional Staff Recommendations or Suggestions to Agency Decision Makers
8 = Information Reflecting the Bureau’s Decision-making Processes

Phone Number  | 202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 21, 2006

MEMORANDUM FOR ACTING CHIEF INFORMATION OFFICER

FROM:     Michael R. Phillips
          Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – Uninstalled Computer Security Patches Continue to Put Computer Systems at Risk (Audit # 200520035)

This report presents the results of our review to assess the effectiveness of the Internal Revenue Service’s (IRS) practices for ensuring the identification and installation of security updates for computer systems and applications.

Impact on the Taxpayer

When vendors identify security flaws with their systems, they make security patches¹ available to be installed on their customers’ computers.
The IRS process for installing patches has not ensured all of its 100,000 computers have been adequately protected. As a result, sensitive taxpayer information is more susceptible to unauthorized disclosure to hackers and unethical employees and contractors, and computer systems are more vulnerable to disruptions of operations that could jeopardize and waste taxpayer dollars.

Synopsis

In May 2004, the IRS suffered one of its most significant computer security incidents when the Sasser Worm² propagated itself throughout the entire IRS computer network. The incident could have been avoided if an available security patch had been installed on infected systems.

¹ A patch is a fix of a design flaw in a computer program. Patches must be installed or applied to the appropriate computer for the flaw to be corrected.
² The Sasser Worm exploited a flaw in the Local Security Authority Subservice System on Microsoft Windows computers and transferred additional exploit code to the computers. It also probed for other computers to infect. This Worm rendered computers inoperable.

Operational organizations within the IRS were notified numerous times by the Office of Mission Assurance and Security Services to install the patch from April 14, 2004, when the patch became available, through May 2, 2004, when the Worm first infected IRS systems. However, the patch was not applied to servers consistently and was not applied to any workstations.
The Worm cost the IRS an estimated $3.6 million in lost salaries and $50.6 million in lost or delayed tax assessments and tax collections.³

From June 2001 through February 2006, we issued 11 reports containing patch management issues.⁴ During our current and prior reviews, we found patch identification, testing, and monitoring efforts were generally adequate. The IRS has established a vulnerability and remediation group tasked with identifying software for improving the overall management of this process. Additionally, the IRS has implemented corrective actions related to patch management issues from our prior reports. Finally, during the aftermath of the Sasser Worm incident, the IRS conducted an internal review that identified breakdowns in procedures and recommended corrective actions to prevent such events from recurring.

    Despite recent improvements to patch management practices, the IRS continues to have unpatched computers throughout its infrastructure.

Although the IRS has made commendable progress towards improving its patch management processes, controls over patch implementation continue to allow unpatched systems. For example:

    • The IRS’ own monitoring efforts determined several essential security patches were not installed on Windows-based workstations and servers.
      An IRS report dated November 22, 2005, showed 33 critical patches were missing from a significant number of workstations and servers.
    • Our review of the IRS’ Common Operating Environment⁵ noted 28 percent of the Windows workstations reviewed were missing security patches.
    • Our review of the Tivoli® Software Suite⁶ noted security patches were successfully installed only 67 percent of the time on Windows-based computers.
    • Nine other reviews noted patches were not installed to varying degrees on various computer systems.

³ The $50.6 million estimate was identified by the IRS in its post-Sasser Worm evaluation soon after the incident occurred. The IRS has since stated that tax assessments and tax collections would have been processed by the IRS in subsequent tax periods and, therefore, do not represent actual losses.
⁴ See Appendix IV for a list of the audit reports included in this review.
⁵ See Appendix IV, Report 1.
⁶ See Appendix IV, Report 2.
Tivoli® is a registered trademark owned by International Business Machines.

The patches were not always installed for two primary reasons: the automated approach used to install patches on Windows-based systems did not always have valid connections to the systems requiring patching, and system administrators did not always install patches due to the impact they believed such patches would have on systems under their control or due to the labor-intensive process of manually installing patches on numerous systems.

As for its internal review of the Sasser Worm incident, the IRS either took no corrective actions or did not complete corrective actions for 3 of the 10 recommendations. While the IRS has formed a group to develop stronger patch management controls, the scope of the group’s work is limited and not designed to address the causes mentioned above. As of September 2005, the group estimated full implementation of the controls within its scope may not occur for an additional 12 months to 18 months.

Ineffective IRS patch management practices continue to put the IRS network at risk. The IRS continues to be exposed to network intrusions that could result in enormous financial impact related to lost or delayed tax assessments and collections and nonfinancial impact related to lost productivity, similar to the effects that occurred when the Sasser Worm infiltrated the IRS.

Recommendation

Because we have included recommendations related to patch management issues in our prior audit reports and the IRS is taking actions to address patch management, we made no additional recommendations in this report.
We will continue to monitor the IRS’ patch management strategy and report any actions taken to eliminate the risks or deficiencies identified in our future security-related reviews.

Response

IRS management agreed with the facts in our report and noted they continue to take aggressive approaches towards improving the patch management process. The IRS has developed a self-install script (computer program) that identifies and installs patches on workstations and laptops. A nationwide roll out of this script is scheduled to be completed by February 2007. The IRS has also taken steps to improve the success rate of patch distributions to workstations. These steps include aggressive management of Tivoli® endpoints and considering an approach that would not allow workstations onto the network until missing patches are updated. Management’s complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report finding. Please contact me at (202) 622-6510 if you have questions or Margaret E.
Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Background

Results of Review
    Patch Installation Practices Continue to Result in Unpatched Computer Systems

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Prior Treasury Inspector General for Tax Administration Audit Reports With Security Patch Management Issues
    Appendix V – Management’s Response to the Draft Report

Abbreviations

CIO       Chief Information Officer
COE       Common Operating Environment
CSIRC     Computer Security Incident Response Center
IRS       Internal Revenue Service

Background

A 2004 Computer Security Institute and Federal Bureau of Investigation survey¹ showed that 91 percent of the respondents believed their computer system intrusions could have been prevented if system administrators had implemented patches for countering known vulnerabilities. A patch is a fix of a design flaw in a computer program. Patches must be installed or applied to the appropriate computer for the flaw to be corrected. While vendors try to address known security flaws immediately, a time gap occurs from when the problem becomes publicly known until the vendor prepares the update to correct the flaw and users install the update. This gap, which provides potential intruders an opportunity to take advantage of the known flaws and mount attacks on vulnerable computers and networks, is becoming increasingly shorter as technology increases and hackers get wiser.

    A patch is a fix of a design flaw in a computer program. When patches are not installed timely, hackers could exploit the unpatched weakness and assume control of a computer.

For this reason, it is critical, particularly for high-risk security vulnerabilities, that organizations apply security patches as quickly as possible. The potential risk of an unpatched weakness varies, depending on the nature of the weakness. A hacker could exploit an unpatched weakness and take over control of a computer to access its contents (e.g., user accounts, password information), use the computer as a launching point to attack other computers, or simply damage the computer so no one else can use or access it.

The actual installation of a patch appears to be a simple task. However, two factors complicate and challenge this task.
First, all computers to which the patch applies must be identified and patched. The larger the organization, the more computers are likely to exist and be affected by vulnerabilities. Second, there are thousands of vulnerabilities being identified each year. The CERT® Coordination Center² determined 5,990 security vulnerabilities were reported during 2005. Vulnerabilities are generally spread across different software products. The more types of software used within an organization, the more difficult the task of patching all affected software products becomes.

The Internal Revenue Service (IRS) is a large organization with almost 100,000 employees and is very reliant on automation and the use of computers to administer the nation’s tax system. It has over 100,000 computers containing various operating systems and applications. Consequently, the seemingly easy task of patching computers turns into a monumental effort.

¹ The 2004 Computer Crime and Security Survey was conducted by the Computer Security Institute with participation of the San Francisco Federal Bureau of Investigation’s Computer Intrusion Squad. The 2004 survey results were based on the responses of 494 computer security practitioners across the United States.
² The CERT® Coordination Center is a center of Internet security expertise located at the Software Engineering Institute, a Federally funded research and development center operated by the Carnegie Mellon University.

Computer security patching can be segmented into four basic processes: identification, testing, distribution and installation, and monitoring and follow-up.

    1.
       Patch identification involves actively monitoring vendor and other information sources for known vulnerabilities and their related patches.
    2. Patch testing involves conducting tests on a patch to ensure there are no unintended consequences when the patch is installed on affected computers.
    3. Patch distribution and installation involve ensuring patches get distributed to the appropriate functions and installed on all affected computers.
    4. Patch monitoring and follow-up involve the active monitoring of systems, to identify any systems without required patches, and follow-up efforts to ensure patches ultimately get installed on these systems.

Various organizations within the IRS manage the patch process. The Computer Security Incident Response Center (CSIRC) within the Office of Mission Assurance and Security Services has primary responsibility for identifying and notifying the Chief Information Officer (CIO) and business unit organizations about the availability of patches. It also conducts patch monitoring and follow-up. Upon being notified of patches, system administrators from various functions under the CIO and business units conduct patch testing, installation, monitoring, and follow-up, depending on the type of computer and user. For example, the End User Equipment and Services organization under the CIO is responsible for end-user computers, so it is also responsible for testing, installing, and following up on patches for IRS employees’ computers.

This review was performed in the office of the CIO at the IRS National Headquarters in Washington, D.C., and New Carrollton, Maryland, during the period November 2005 through April 2006. This review also relied on results presented in 11 of our security-related audit reports issued from June 2001 through February 2006.³ The audit was conducted in accordance with Government Auditing Standards.
Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

³ See Appendix IV for a list of the audit reports included in this review.

Results of Review

In May 2004, the IRS suffered one of its most significant computer security incidents when the Sasser Worm⁴ propagated itself throughout the entire IRS computer network. The incident could have been avoided if an available security patch had been installed on infected systems. Operational organizations within the IRS were notified numerous times to install the patch from April 14, 2004, when the patch became available, through May 2, 2004, when the Worm first infected IRS systems. However, the patch was not applied to servers consistently and was not applied to any workstations. The Worm cost the IRS an estimated $3.6 million in lost salaries and $50.6 million in lost or delayed tax assessments and tax collections.⁵

During our current and prior reviews, we found patch identification, testing, and monitoring efforts were generally adequate. For example:

    • Patch identification processes were generally in place and operating effectively. The CSIRC was primarily responsible for monitoring the computer industry and maintaining contacts with major computer vendors to identify when vulnerabilities become known and for evaluating the criticality of available security patches for the entire IRS. The CSIRC then notified IRS functions of existing vulnerabilities and the related security patches.
      The criticality of vulnerabilities and patches was based on risk, with the highest risk vulnerabilities requiring patching within 72 hours from when they were identified by the IRS.
    • Patch testing procedures had been established and were in place. Once the patches became available, the appropriate IRS functions would test the patches to ensure they did not detrimentally affect existing systems. After the patches passed testing, they were distributed for installation on appropriate systems.
    • Patch monitoring efforts were identifying unpatched systems effectively. IRS functions monitored systems using various methods. Windows-based systems were perpetually scanned for missing patches. An internal computer program⁶ was used for scanning non-Windows systems. The CSIRC also conducted periodic scanning for vulnerabilities.

⁴ The Sasser Worm exploited a flaw in the Local Security Authority Subservice System on Microsoft Windows computers and transferred additional exploit code to the computers. It also probed for other computers to infect. This Worm rendered computers inoperable.
⁵ The $50.6 million estimate was identified by the IRS in its post-Sasser Worm evaluation soon after the incident occurred.
The IRS has since stated that tax assessments and tax collections would have been processed by the IRS in subsequent tax periods and, therefore, do not represent actual losses.
⁶ The Law Enforcement Manual Checker is an internally developed software suite designed to scan computer systems to ensure compliance with various computer security standards required by the IRS.

During Fiscal Year 2005, the IRS established a vulnerability and remediation group tasked with identifying software for improving the overall management of the patching process. This group includes managers and technicians from IRS computer security and operations functions. During the first phase of this project, the group identified whether any vendor software existed that could improve the IRS patch management process. The second phase of this project would involve implementing any software procured.

Additionally, the IRS has implemented corrective actions from our prior reports containing patch management issues. For example, the IRS established procedures for identifying, testing, and monitoring security patches. Finally, the IRS conducted an internal review during the aftermath of the Sasser Worm incident. This review identified breakdowns in procedures and recommended corrective actions to prevent such an occurrence from happening again.
These issues included breakdowns in the communication and implementation processes that have since been addressed.

Although the IRS has made commendable progress towards improving its patch management processes, controls over patch installation continue to require attention.

Patch Installation Practices Continue to Result in Unpatched Computer Systems

The IRS installs patches on its computers either through automated processes or by having system administrators manually apply the patches to specific servers or workstations under their control. However, these processes did not always ensure required patches were installed on all computers. We identified the following problems with patch installation:

    • The IRS’ own monitoring efforts determined that several essential security patches were not installed on Windows-based workstations and servers. An IRS report dated November 22, 2005, presented the results of patch scanning conducted on 4,060 Windows servers and 95,034 Windows workstations; it showed that 33 critical patches were missing from both workstations and servers. Overall, the report showed there were 9,478 occurrences of 1 or more of these 33 patches missing from the 4,060 servers. The report also showed 227,976 occurrences of 1 or more of these 33 patches missing from the 95,034 workstations. The IRS requires that critical patches be distributed for installation on systems within 72 hours from when they are identified by the IRS.
      While some of these missing patches may have been superseded by subsequent patches, the overall results demonstrate that many systems continue to go unpatched.

roll out of this script is scheduled to be completed by February 2007. The IRS has also taken steps to improve the success rate of patch distributions to workstations. These steps include aggressive management of Tivoli® endpoints and considering an approach that would not allow workstations onto the network until missing patches are updated.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to assess the effectiveness of the IRS’ practices for ensuring the identification and installation of security updates for computer systems and applications. To accomplish our objective, we:

I.       Determined whether the IRS effectively distributed and installed patches by consulting with appropriate staff and reviewing documentation, including IRS scans of Windows-based servers and workstations.
II.      Determined whether the IRS effectively tested patches prior to installation to applicable computing devices by identifying and evaluating the testing process.
III.
         Determined whether the IRS effectively followed up on patch installation and proactively identified unpatched computers by consulting with appropriate organizations and reviewing documentation.
IV.      Determined the status and progress of IRS actions to address issues related to the Sasser Worm¹ by consulting with appropriate offices and reviewing relevant documentation.
V.       Determined the status and progress of IRS actions to address recommendations from eight Treasury Inspector General for Tax Administration reports issued from Fiscal Years 2001 through 2004 that contained issues related to patch management.
VI.      Reviewed the results from three Treasury Inspector General for Tax Administration reports issued after Fiscal Year 2004 that contained issues related to patch management. We did not review IRS actions to address the recommendations contained in these three reports because corrective actions had not been completed at the time of our review.
VII.     Determined the status of the IRS vulnerability and remediation group for addressing security patch issues.

¹ The Sasser Worm exploited a flaw in the Local Security Authority Subservice System on Microsoft Windows computers and transferred additional exploit code to the computers. It also probed for other computers to infect. This Worm rendered computers inoperable.

Appendix II

Major Contributors to This Report

Margaret E.
Begg, Assistant Inspector General for Audit (Information Systems Programs)
Kent Sagara, Acting Director
Joseph Cooney, Acting Audit Manager
Bret Hunter, Lead Auditor
Jody Kitazono, Senior Auditor
Larry Reimer, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief, Mission Assurance and Security Services OS:MA
Deputy Chief Information Officer OS:CIO
Associate Chief Information Officer, End User Equipment and Services OS:CIO:EU
Associate Chief Information Officer, Enterprise Networks OS:CIO:EN
Associate Chief Information Officer, Enterprise Operations OS:CIO:EO
Director, Information Security OS:CIO:IS
Director, Enterprise Systems Management OS:CIO:EU:ESM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Director, Program Oversight OS:CIO:SM:PO

Appendix IV

Prior Treasury Inspector General for Tax Administration Audit Reports With Security Patch Management Issues

The following Treasury Inspector General for Tax
Administration audit reports contain patch management issues.

    1. Secure Configurations Are Initially Established on Employee Computers, but Enhancements Could Ensure Security Is Strengthened After Implementation (Reference Number 2006-20-031, dated February 2006).
    2. Progress Has Been Made on Using the Tivoli® Software Suite,¹ Though Enhancements Are Needed to Better Distribute Software Updates and Reconcile Computer Inventories (Reference Number 2006-20-021, dated December 2005).
    3. The Computer Security Incident Response Center Is Operating As Intended, Although Some Enhancements Can Be Made (Reference Number 2005-20-143, dated September 2005).
    4. Penetration Test of Internal Revenue Service Computer Systems (Reference Number 2004-20-073, dated April 2004).
    5. Key Security Controls of the Criminal Investigation Management Information System Have Not Been Implemented (Reference Number 2004-20-081, dated March 2004).
    6. Inadequate Accountability and Training for Key Security Employees Contributed to Significant Computer Security Weaknesses (Reference Number 2004-20-027, dated January 2004).
    7. Security Over Computers Used in Telecommuting Needs to Be Strengthened (Reference Number 2003-20-118, dated July 2003).
    8. Penetration Test of Internal Revenue Service Computer Systems (Reference Number 2003-20-082, dated March 2003).

¹ Tivoli® is a registered trademark owned by International Business Machines.

    9.
       Controls Over the Excise Files Information Retrieval System Website Should Be Improved to Better Deter and Detect External Attacks (Reference Number 2002-20-064, dated April 2002).
    10. Controls Over the Procurement Website Should Be Improved to Better Deter and Detect External Attacks (Reference Number 2002-20-045, dated January 2002).
    11. Controls Over the Internet Gateway Should Be Improved to Better Deter and Detect External Attacks (Reference Number 2001-20-101, dated June 2001).

Appendix V

Management’s Response to the Draft Report